U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Quick Reaction Report

Results of Technical Network Vulnerability Assessment:
EPA’s Erlanger Building
Report No. 10-P-0211

September 7, 2010


Report Contributors:   Rudolph M. Brevard
                       Charles Dade
                       Cheryl Reid
                       Michael Goode, Jr.
                       Vincent Campbell


U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
10-P-0211
September 7, 2010
Catalyst for Improving the Environment

Results of Technical Network Vulnerability Assessment: EPA’s Erlanger Building

Why We Did This Review

As part of the annual audit of the U.S. Environmental Protection Agency’s (EPA’s) compliance with the Federal Information Security Management Act, the Office of Inspector General (OIG) conducted network vulnerability testing of the Agency’s network devices in EPA’s Erlanger Building located in Erlanger, Kentucky.

Background

Network vulnerability testing was conducted to identify any network risk vulnerabilities and to present the results to the appropriate EPA officials, who can then promptly remediate or document planned actions to resolve the vulnerability.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20100907-10-P-0211.pdf

What We Found

Vulnerability testing of EPA’s Erlanger Building network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities. The OIG met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA’s assets to unauthorized access and potentially harm the Agency’s network.

What We Recommend

We recommend that the Director, Enterprise Desktop Solutions Division, Office of Environmental Information, and the Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management:

• Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

• Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

• Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Due to the sensitive nature of the report’s technical findings, the attachments are not available to the public.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 7, 2010

MEMORANDUM

SUBJECT:   Results of Technical Network Vulnerability Assessment:
           EPA’s Erlanger Building
           Report No. 10-P-0211

FROM:      Arthur A. Elkins, Jr.
           Inspector General

TO:        Johnny Davis, Jr.
           Director, Enterprise Desktop Solutions Division
           Office of Environmental Information

           Aundair Kinney
           Director, Information Resources Management Division – Cincinnati
           Office of Administration and Resources Management

Attached is the final technical network vulnerability assessment report prepared by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA).[1] The site assessment was conducted in conjunction with the Fiscal Year 2010 Federal Information Security Management Act audit. Vulnerability testing of EPA’s Erlanger Building network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities.

We performed this audit from May through August 2010 at EPA’s Erlanger, Kentucky, building. We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

[1] A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a tested information system. A vulnerability assessment does not include a penetration test, which would attempt to use the identified vulnerabilities to gain further access into the tested information system.

We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology. We tested Internet Protocol addresses provided by Agency representatives and identified as being associated with network resources controlled by your offices. We used the risk ratings provided by the vulnerability software to determine the level of harm a vulnerability could cause to a network resource. We accepted the results from the software tool. The vulnerabilities identified by the software are disclosed in the attachments. On July 8, 2010, management representatives sent a status update indicating actions taken to correct some of the identified vulnerabilities.

The estimated cost for performing these tests and compiling this report is $4,858.

Recommendations

We recommend that the Director, Enterprise Desktop Solutions Division, Office of Environmental Information; and the Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management:

   1. Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

   2. Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

   3. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 30 calendar days. You should include a corrective action plan for agreed-upon actions, including milestone dates.

Due to the sensitive nature of the report’s technical findings, the full report will not be made available to the public. However, the OIG plans to publish the unrestricted version of this report, your response, and any corrective action plans on OIG’s Website, which is available to the public. Therefore, we request that you provide your response to Recommendation 1 in a separate document.

If you or your staff have any questions regarding this report, please contact Rudy Brevard at (202) 566-0893 or brevard.rudy@epa.gov.


Status of Recommendations and Potential Monetary Benefits

Columns: Rec. No.; Page No.; Subject; Status [1]; Action Official; Planned Completion Date; Potential Monetary Benefits (in $000s): Claimed Amount, Agreed To Amount.

Rec. No. 1 (Page No. 2)
   Subject: Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.
   Status: U
   Action Official: Director, Enterprise Desktop Solutions Division, Office of Environmental Information, and Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management
   Planned Completion Date: (none entered)
   Claimed Amount: (none entered)
   Agreed To Amount: (none entered)

Rec. No. 2 (Page No. 2)
   Subject: Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.
   Status: U
   Action Official: Director, Enterprise Desktop Solutions Division, Office of Environmental Information, and Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management
   Planned Completion Date: (none entered)
   Claimed Amount: (none entered)
   Agreed To Amount: (none entered)

Rec. No. 3 (Page No. 2)
   Subject: Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.
   Status: U
   Action Official: Director, Enterprise Desktop Solutions Division, Office of Environmental Information, and Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management
   Planned Completion Date: (none entered)
   Claimed Amount: (none entered)
   Agreed To Amount: (none entered)

[1] O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress


Appendix A

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Administration and Resources Management
Director, Enterprise Desktop Solutions Division, Office of Environmental Information
Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management
Acting Senior Agency Information Security Officer
Acting Director, Technology and Information Security Staff
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-up Coordinator, Office of Environmental Information
Audit Follow-up Coordinator, Office of Administration and Resources Management
Inspector General